
This new Linux malware has a sneaky way of staying hidden

Jun, 14, 2022 Hi-network.com


A newly discovered stealthy piece of Linux malware called Syslogk delivers a backdoor that remains hidden on the targeted machine until its controller, from anywhere on the internet, transmits so-called 'magic packets'. 

According to researchers at Avast, the Syslogk Linux rootkit delivers the backdoor trojan known as Rekoobe and uses numerous techniques to keep the backdoor hidden until needed. 


Fortunately, the version of Syslogk Avast analyzed only works on older versions of the Linux kernel, but the malware appears to be under development. 


Rekoobe malware has been used by the group APT31 or what Microsoft calls Zirconium, a China state-sponsored threat actor. Rekoobe is based on TinyShell, an open-source project for a UNIX backdoor. There are references in the Syslogk rootkit to TinyShell dating back to December 13, 2018.

Meanwhile, Syslogk is based primarily on the Chinese open-source kernel rootkit for Linux called Adore-Ng, which as of this year was still under development but currently only supports Linux kernel version 3.x, versus the 5.x series of the kernel currently being developed. 

Syslogk adds new functionalities to make the user-mode application and the kernel rootkit harder to detect than Adore-Ng, which can already hide files, its processes and the kernel module. 

Avast researchers believe the group developed Rekoobe and Syslogk specifically to run hand in hand.

The Rekoobe sample Avast found was embedded in a fake SMTP mail server. The backdoor is triggered when it receives specially crafted TCP packets, the so-called "magic packets", from the remote attacker. Using Syslogk with magic packets, the attacker can remotely stop and start the Rekoobe backdoor.

The firm explains that magic packets are the mechanism by which Syslogk remotely starts Rekoobe in user space.

"Instead of continuously running the payload, it is remotely started or stopped on demand by sending specially crafted network traffic packets," it explains. 

"These are known as magic packets because they have a special format and special powers. In this implementation, an attacker can trigger actions without having a listening port in the infected machine such that the commands are, in some way, 'magically' executed in the system."
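The defensive corollary of the behaviour described above is that a backdoor triggered from kernel space does not need an open port, so `ss`/`netstat` on the host will show nothing. One network-side heuristic is to compare traffic seen on the wire with the host's own list of listening ports: a clean TCP stack answers a packet to a closed port with a RST, whereas a kernel hook that silently consumes trigger packets leaves them unanswered. The script below is an added illustration of that triage heuristic, not code from Avast or from the Syslogk analysis; the packet records, the host address, the listening-port set and the port numbers are all constructed, and nothing about the real trigger format is assumed.

```python
"""Flag inbound TCP traffic to ports the host reports as closed that the
host never answered with a RST. Added illustration with constructed data;
the packet records, host address and port numbers below are invented."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a captured TCP segment (constructed, not from a pcap)."""
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters, e.g. "S", "SA", "R", "PA"


HOST = "10.0.0.5"                 # constructed address of the monitored host
LISTENING_PORTS = {22, 25}        # constructed; in practice taken from `ss -ltn`

# Constructed sample capture: a normal SSH handshake, a probe to a closed port
# that is correctly refused, and two data segments to a closed port that get
# no RST at all (the pattern worth a closer look).
SAMPLE_CAPTURE = [
    Packet(1.00, "198.51.100.7", 40001, HOST, 22, "S"),
    Packet(1.01, HOST, 22, "198.51.100.7", 40001, "SA"),
    Packet(2.00, "198.51.100.7", 40002, HOST, 8080, "S"),
    Packet(2.01, HOST, 8080, "198.51.100.7", 40002, "R"),
    Packet(3.00, "203.0.113.9", 40003, HOST, 31337, "PA"),
    Packet(3.10, "203.0.113.9", 40003, HOST, 31337, "PA"),
]


def unanswered_closed_port_traffic(packets, host, listening, window=1.0):
    """Return sorted (src, dport, count) tuples for inbound packets to ports
    not in `listening` that were not followed, within `window` seconds, by a
    RST from `host` back to the same source address and port."""
    inbound = [p for p in packets if p.dst == host and p.dport not in listening]
    resets = [p for p in packets if p.src == host and "R" in p.flags]
    hits = defaultdict(int)
    for p in inbound:
        answered = any(
            r.sport == p.dport and r.dst == p.src and r.dport == p.sport
            and p.ts <= r.ts <= p.ts + window
            for r in resets
        )
        if not answered:
            hits[(p.src, p.dport)] += 1
    return sorted((src, port, n) for (src, port), n in hits.items())


if __name__ == "__main__":
    for src, port, n in unanswered_closed_port_traffic(SAMPLE_CAPTURE, HOST, LISTENING_PORTS):
        print(f"{src} -> {HOST}:{port}: {n} unanswered segment(s) to a non-listening port")
```

A firewall configured to DROP rather than REJECT produces the same silence, so a hit is a prompt to reconcile the capture with the host's firewall rules and socket table, not proof of a rootkit. Because the comparison is made from outside the host, it does not depend on tooling that a kernel module could be hooking.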


Despite the limited support for Linux kernel versions, Avast argues the combination of Syslogk and Rekoobe on a fake SMTP server is a powerful toolset for an attacker.

"We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server. Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely 'magically' executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server."


